Comparing version 6.1.0 to 6.1.1
# Changelog | ||
## 6.1.1 - 2023-04-08 | ||
### Fixed | ||
- Fixed missing package metadata | ||
## 6.1.0 - 2023-04-08 | ||
@@ -4,0 +10,0 @@ |
{ | ||
"name": "helmet", | ||
"version": "6.1.0", | ||
"description": "help secure Express/Connect apps with various HTTP headers", | ||
"version": "6.1.1", | ||
"author": "Adam Baldwin <adam@npmjs.com> (https://evilpacket.net)", | ||
@@ -18,2 +19,11 @@ "contributors": [ | ||
"license": "MIT", | ||
"keywords": [ | ||
"express", | ||
"security", | ||
"headers", | ||
"backend" | ||
], | ||
"engines": { | ||
"node": ">=14.0.0" | ||
}, | ||
"exports": { | ||
@@ -20,0 +30,0 @@ ".": { |
README.md
@@ -13,8 +13,8 @@ # Helmet | ||
```js | ||
const express = require("express") | ||
const helmet = require("helmet") | ||
const express = require("express"); | ||
const helmet = require("helmet"); | ||
const app = express() | ||
const app = express(); | ||
app.use(helmet()) | ||
app.use(helmet()); | ||
@@ -27,7 +27,7 @@ // ... | ||
```js | ||
import helmet from "helmet" | ||
import helmet from "helmet"; | ||
const app = express() | ||
const app = express(); | ||
app.use(helmet()) | ||
app.use(helmet()); | ||
``` | ||
@@ -58,6 +58,6 @@ | ||
app.use( | ||
helmet({ | ||
referrerPolicy: {policy: "no-referrer"} | ||
}) | ||
) | ||
helmet({ | ||
referrerPolicy: { policy: "no-referrer" }, | ||
}) | ||
); | ||
``` | ||
@@ -70,6 +70,6 @@ | ||
app.use( | ||
helmet({ | ||
contentSecurityPolicy: false | ||
}) | ||
) | ||
helmet({ | ||
contentSecurityPolicy: false, | ||
}) | ||
); | ||
``` | ||
@@ -86,28 +86,28 @@ | ||
```js | ||
import helmet from "helmet" | ||
import helmet from "helmet"; | ||
// ... | ||
app.use(helmet()) | ||
app.use(helmet()); | ||
``` | ||
```js | ||
import * as helmet from "helmet" | ||
import * as helmet from "helmet"; | ||
// ... | ||
app.use(helmet.contentSecurityPolicy()) | ||
app.use(helmet.crossOriginEmbedderPolicy()) | ||
app.use(helmet.crossOriginOpenerPolicy()) | ||
app.use(helmet.crossOriginResourcePolicy()) | ||
app.use(helmet.dnsPrefetchControl()) | ||
app.use(helmet.frameguard()) | ||
app.use(helmet.hidePoweredBy()) | ||
app.use(helmet.hsts()) | ||
app.use(helmet.ieNoOpen()) | ||
app.use(helmet.noSniff()) | ||
app.use(helmet.originAgentCluster()) | ||
app.use(helmet.permittedCrossDomainPolicies()) | ||
app.use(helmet.referrerPolicy()) | ||
app.use(helmet.xssFilter()) | ||
app.use(helmet.contentSecurityPolicy()); | ||
app.use(helmet.crossOriginEmbedderPolicy()); | ||
app.use(helmet.crossOriginOpenerPolicy()); | ||
app.use(helmet.crossOriginResourcePolicy()); | ||
app.use(helmet.dnsPrefetchControl()); | ||
app.use(helmet.frameguard()); | ||
app.use(helmet.hidePoweredBy()); | ||
app.use(helmet.hsts()); | ||
app.use(helmet.ieNoOpen()); | ||
app.use(helmet.noSniff()); | ||
app.use(helmet.originAgentCluster()); | ||
app.use(helmet.permittedCrossDomainPolicies()); | ||
app.use(helmet.referrerPolicy()); | ||
app.use(helmet.xssFilter()); | ||
``` | ||
@@ -124,3 +124,3 @@ | ||
// Includes all 15 middlewares | ||
app.use(helmet()) | ||
app.use(helmet()); | ||
``` | ||
@@ -133,6 +133,6 @@ | ||
app.use( | ||
helmet({ | ||
frameguard: false | ||
}) | ||
) | ||
helmet({ | ||
frameguard: false, | ||
}) | ||
); | ||
``` | ||
@@ -145,8 +145,8 @@ | ||
app.use( | ||
helmet({ | ||
frameguard: { | ||
action: "deny" | ||
} | ||
}) | ||
) | ||
helmet({ | ||
frameguard: { | ||
action: "deny", | ||
}, | ||
}) | ||
); | ||
``` | ||
@@ -196,56 +196,56 @@ | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
"script-src": ["'self'", "example.com"], | ||
"style-src": null | ||
} | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
"script-src": ["'self'", "example.com"], | ||
"style-src": null, | ||
}, | ||
}) | ||
); | ||
// Sets "Content-Security-Policy: default-src 'self';script-src 'self' example.com;object-src 'none';upgrade-insecure-requests" | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
useDefaults: false, | ||
directives: { | ||
defaultSrc: ["'self'"], | ||
scriptSrc: ["'self'", "example.com"], | ||
objectSrc: ["'none'"], | ||
upgradeInsecureRequests: [] | ||
} | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
useDefaults: false, | ||
directives: { | ||
defaultSrc: ["'self'"], | ||
scriptSrc: ["'self'", "example.com"], | ||
objectSrc: ["'none'"], | ||
upgradeInsecureRequests: [], | ||
}, | ||
}) | ||
); | ||
// Sets the "Content-Security-Policy-Report-Only" header instead | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
/* ... */ | ||
}, | ||
reportOnly: true | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
/* ... */ | ||
}, | ||
reportOnly: true, | ||
}) | ||
); | ||
// Sets the `script-src` directive to "'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'" (or similar) | ||
app.use((req, res, next) => { | ||
res.locals.cspNonce = crypto.randomBytes(16).toString("hex") | ||
next() | ||
}) | ||
res.locals.cspNonce = crypto.randomBytes(16).toString("hex"); | ||
next(); | ||
}); | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`] | ||
} | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], | ||
}, | ||
}) | ||
); | ||
// Sets "Content-Security-Policy: script-src 'self'" | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
useDefaults: false, | ||
directives: { | ||
"default-src": helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc, | ||
"script-src": ["'self'"] | ||
} | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
useDefaults: false, | ||
directives: { | ||
"default-src": helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc, | ||
"script-src": ["'self'"], | ||
}, | ||
}) | ||
); | ||
@@ -255,8 +255,8 @@ // Sets the `frame-ancestors` directive to "'none'" | ||
app.use( | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
frameAncestors: ["'none'"] | ||
} | ||
}) | ||
) | ||
helmet.contentSecurityPolicy({ | ||
directives: { | ||
frameAncestors: ["'none'"], | ||
}, | ||
}) | ||
); | ||
``` | ||
@@ -283,6 +283,6 @@ | ||
// Sets "Cross-Origin-Embedder-Policy: require-corp" | ||
app.use(helmet.crossOriginEmbedderPolicy()) | ||
app.use(helmet.crossOriginEmbedderPolicy()); | ||
// Sets "Cross-Origin-Embedder-Policy: credentialless" | ||
app.use(helmet.crossOriginEmbedderPolicy({policy: "credentialless"})) | ||
app.use(helmet.crossOriginEmbedderPolicy({ policy: "credentialless" })); | ||
``` | ||
@@ -309,6 +309,8 @@ | ||
// Sets "Cross-Origin-Opener-Policy: same-origin" | ||
app.use(helmet({crossOriginOpenerPolicy: true})) | ||
app.use(helmet({ crossOriginOpenerPolicy: true })); | ||
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups" | ||
app.use(helmet({crossOriginOpenerPolicy: {policy: "same-origin-allow-popups"}})) | ||
app.use( | ||
helmet({ crossOriginOpenerPolicy: { policy: "same-origin-allow-popups" } }) | ||
); | ||
``` | ||
@@ -320,9 +322,9 @@ | ||
// Sets "Cross-Origin-Opener-Policy: same-origin" | ||
app.use(helmet.crossOriginOpenerPolicy()) | ||
app.use(helmet.crossOriginOpenerPolicy()); | ||
// Sets "Cross-Origin-Opener-Policy: same-origin-allow-popups" | ||
app.use(helmet.crossOriginOpenerPolicy({policy: "same-origin-allow-popups"})) | ||
app.use(helmet.crossOriginOpenerPolicy({ policy: "same-origin-allow-popups" })); | ||
// Sets "unsafe-none-Opener-Policy: unsafe-none" | ||
app.use(helmet.crossOriginOpenerPolicy({policy: "unsafe-none"})) | ||
app.use(helmet.crossOriginOpenerPolicy({ policy: "unsafe-none" })); | ||
``` | ||
@@ -351,6 +353,6 @@ | ||
// Sets "Cross-Origin-Resource-Policy: same-origin" | ||
app.use(helmet({crossOriginResourcePolicy: true})) | ||
app.use(helmet({ crossOriginResourcePolicy: true })); | ||
// Sets "Cross-Origin-Resource-Policy: same-site" | ||
app.use(helmet({crossOriginResourcePolicy: {policy: "same-site"}})) | ||
app.use(helmet({ crossOriginResourcePolicy: { policy: "same-site" } })); | ||
``` | ||
@@ -362,9 +364,9 @@ | ||
// Sets "Cross-Origin-Resource-Policy: same-origin" | ||
app.use(helmet.crossOriginResourcePolicy()) | ||
app.use(helmet.crossOriginResourcePolicy()); | ||
// Sets "Cross-Origin-Resource-Policy: same-site" | ||
app.use(helmet.crossOriginResourcePolicy({policy: "same-site"})) | ||
app.use(helmet.crossOriginResourcePolicy({ policy: "same-site" })); | ||
// Sets "Cross-Origin-Resource-Policy: cross-origin" | ||
app.use(helmet.crossOriginResourcePolicy({policy: "cross-origin"})) | ||
app.use(helmet.crossOriginResourcePolicy({ policy: "cross-origin" })); | ||
``` | ||
@@ -400,15 +402,15 @@ | ||
app.use( | ||
helmet.expectCt({ | ||
maxAge: 86400 | ||
}) | ||
) | ||
helmet.expectCt({ | ||
maxAge: 86400, | ||
}) | ||
); | ||
// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report" | ||
app.use( | ||
helmet.expectCt({ | ||
maxAge: 86400, | ||
enforce: true, | ||
reportUri: "https://example.com/report" | ||
}) | ||
) | ||
helmet.expectCt({ | ||
maxAge: 86400, | ||
enforce: true, | ||
reportUri: "https://example.com/report", | ||
}) | ||
); | ||
``` | ||
@@ -438,13 +440,13 @@ | ||
app.use( | ||
helmet.referrerPolicy({ | ||
policy: "no-referrer" | ||
}) | ||
) | ||
helmet.referrerPolicy({ | ||
policy: "no-referrer", | ||
}) | ||
); | ||
// Sets "Referrer-Policy: origin,unsafe-url" | ||
app.use( | ||
helmet.referrerPolicy({ | ||
policy: ["origin", "unsafe-url"] | ||
}) | ||
) | ||
helmet.referrerPolicy({ | ||
policy: ["origin", "unsafe-url"], | ||
}) | ||
); | ||
``` | ||
@@ -478,22 +480,22 @@ | ||
app.use( | ||
helmet.hsts({ | ||
maxAge: 123456 | ||
}) | ||
) | ||
helmet.hsts({ | ||
maxAge: 123456, | ||
}) | ||
); | ||
// Sets "Strict-Transport-Security: max-age=123456" | ||
app.use( | ||
helmet.hsts({ | ||
maxAge: 123456, | ||
includeSubDomains: false | ||
}) | ||
) | ||
helmet.hsts({ | ||
maxAge: 123456, | ||
includeSubDomains: false, | ||
}) | ||
); | ||
// Sets "Strict-Transport-Security: max-age=123456; includeSubDomains; preload" | ||
app.use( | ||
helmet.hsts({ | ||
maxAge: 63072000, | ||
preload: true | ||
}) | ||
) | ||
helmet.hsts({ | ||
maxAge: 63072000, | ||
preload: true, | ||
}) | ||
); | ||
``` | ||
@@ -522,3 +524,3 @@ | ||
// Sets "X-Content-Type-Options: nosniff" | ||
app.use(helmet.noSniff()) | ||
app.use(helmet.noSniff()); | ||
``` | ||
@@ -545,3 +547,3 @@ | ||
// Sets "Origin-Agent-Cluster: ?1" | ||
app.use(helmet.originAgentCluster()) | ||
app.use(helmet.originAgentCluster()); | ||
``` | ||
@@ -571,13 +573,13 @@ | ||
app.use( | ||
helmet.dnsPrefetchControl({ | ||
allow: false | ||
}) | ||
) | ||
helmet.dnsPrefetchControl({ | ||
allow: false, | ||
}) | ||
); | ||
// Sets "X-DNS-Prefetch-Control: on" | ||
app.use( | ||
helmet.dnsPrefetchControl({ | ||
allow: true | ||
}) | ||
) | ||
helmet.dnsPrefetchControl({ | ||
allow: true, | ||
}) | ||
); | ||
``` | ||
@@ -606,3 +608,3 @@ | ||
// Sets "X-Download-Options: noopen" | ||
app.use(helmet.ieNoOpen()) | ||
app.use(helmet.ieNoOpen()); | ||
``` | ||
@@ -632,13 +634,13 @@ | ||
app.use( | ||
helmet.frameguard({ | ||
action: "deny" | ||
}) | ||
) | ||
helmet.frameguard({ | ||
action: "deny", | ||
}) | ||
); | ||
// Sets "X-Frame-Options: SAMEORIGIN" | ||
app.use( | ||
helmet.frameguard({ | ||
action: "sameorigin" | ||
}) | ||
) | ||
helmet.frameguard({ | ||
action: "sameorigin", | ||
}) | ||
); | ||
``` | ||
@@ -668,13 +670,13 @@ | ||
app.use( | ||
helmet.permittedCrossDomainPolicies({ | ||
permittedPolicies: "none" | ||
}) | ||
) | ||
helmet.permittedCrossDomainPolicies({ | ||
permittedPolicies: "none", | ||
}) | ||
); | ||
// Sets "X-Permitted-Cross-Domain-Policies: by-content-type" | ||
app.use( | ||
helmet.permittedCrossDomainPolicies({ | ||
permittedPolicies: "by-content-type" | ||
}) | ||
) | ||
helmet.permittedCrossDomainPolicies({ | ||
permittedPolicies: "by-content-type", | ||
}) | ||
); | ||
``` | ||
@@ -701,3 +703,3 @@ | ||
// Removes the X-Powered-By header if it was set. | ||
app.use(helmet.hidePoweredBy()) | ||
app.use(helmet.hidePoweredBy()); | ||
``` | ||
@@ -726,3 +728,3 @@ | ||
// Sets "X-XSS-Protection: 0" | ||
app.use(helmet.xssFilter()) | ||
app.use(helmet.xssFilter()); | ||
``` | ||
@@ -729,0 +731,0 @@ |